Encryption Substitutes | Privacy | Encryption

Policy experts have suggested that the rise of encrypted data is not the end of intelligence collection because law enforcement can look to substitutes

other sources of intelligence, such as metadata

that prove to be just as valuable or more valuable than decrypting encrypted data.

1

This paper focuses on the other side of that insight: on the substitutes available for privacy-seekers beyond encryption, such as placing ones data in a jurisdiction that is beyond the reach of law enforcement. This framework puts encryption in context: there are many ways to keep ones data private, just as there are many ways that the government might get access to that data. While encryption is typically treated as a stand-alone computer security issue, it is a piece of a larger debate about government access to personal data.

2

Law enforcement ofcials are, in general, agnostic about the method through which they obtain evidence

what matters is obtaining it. Privacy-seekers are similarly agnostic about how they secure their privacy

what matters is having it. This means that policymakers have a wide set of options

not only about

whether

to allow law enforcement to access personal data, but also

how

to do so. This wide set of options is not reected in the debate over encryption, which is typically framed in all-or-nothing terms. Some privacy advocates take a stance that seems to allow no room for compromise (an argument that can be boiled down to its math!

3

) and some government actors do the same (essentially arguing, its terrorism!

4

). Widening the scope of the policy discussion to include related issues

what I will call encryption substitutes

may increase the chances of compromise and may generate better policy.In this short essay, I make a few simple assumptions that bear mentioning at the outset. First, I assume that governments have good and legitimate reasons for getting access to personal data. These include things like controlling crime, ghting terrorism, and regulating territorial borders. Second, I assume that people have a right to expect privacy in their personal data. Therefore, policymakers should seek to satisfy both law enforcement and privacy concerns without unduly burdening one or the other. Of course, much of the debate over government access to data is about how to respect